Thursday, April 23, 2009

FTC and HHS Issue Proposed Rules on Breach Notification

By Mehmet Munur

Both the Federal Trade Commission and the Department of Health and Human Services issued proposed regulations last week to satisfy their obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was a part of the American Recovery and Reinvestment Act of 2009. The FTC rules address the obligations of non-HIPAA covered entities such as vendors of personal health records and third party service providers, while the HHS rules address the procedures required to secure unprotected health care information. Affected entities should invest in technologies that prevent and detect breaches and also draft and implement policies to notify the appropriate parties when they do occur.

FTC Proposed Regulations:

While the FTC proposed regulations track the HITECH Act in many respects, they differ in others. The definitions of the terms business associate, HIPAA-covered entity, personal health record, PHR identifiable health information, vendor of personal health records, and unsecured stay substantially the same as under the HITECH Act. However, the FTC adds more substance around the concepts of third party service providers, the presumption of acquisition, notification of senior officials in vendors in a breach, and discovery of data breaches.

While PHR related entities and third party service providers are non-HIPAA covered entities, they are, nevertheless, covered by the HITECH Act’s breach notification provisions enforced by the FTC. Third party service providers include “entities that provide billing or data storage services to vendors of personal health records or PHR related entities.” Such services certainly include the likes of Google Health and Microsoft HealthVault. Both services have been in the spotlight recently: Google Health recently signed up CVS, and HealthVault recently announced a partnership with the Mayo Clinic.

Due to the difficulty in determining whether access results in acquisition of data, the proposed FTC regulations enhance the definition of breach by adding language that creates a presumption of unauthorized acquisition where unauthorized access has taken place. However, the vendor or the PHR related entity may rebut this presumption where it “has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.”

The proposed regulations also require entities to notify senior officials in vendors or PHR related entities and to obtain an acknowledgement in the event of a breach. The FTC also prevents entities from ignoring a breach by making the inability to reasonably ascertain a breach a violation of the regulations. On the other hand, the failure to discover a breach would not constitute a violation of the rules if the organization had strong breach detection measures in place and still failed to detect it. Therefore, breach detection is almost as important as breach notification under the proposed regulations.

The FTC expects the rules to affect about 900 entities and cost a total of $1 million for 11 breaches per year. The FTC appears to be concerned about some overlap between the FTC and the HHS regulations and is therefore seeking comments on the dual role of certain entities, which would bring them under the scrutiny of both the FTC and the HHS. More detail on the proposed rules can be found at the FTC website.

HHS Proposed Regulations:

The regulations proposed by the HHS mainly concern the definition of the term “unsecured” as it modifies “protected health information” under the HITECH Act. This term is crucial as notification is not necessary if the protected health information is secured.

If the Secretary had not issued timely guidance, the term “unsecured protected health information” would have meant “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).” Now that the HHS has proposed these regulations, protected health information will be secured if it is encrypted or destroyed. However, such encryption and destruction will have to abide by the strict requirements of National Institute of Standards and Technology Special Publications on encrypting and destroying data.

The HHS relies on the existing HIPAA Security Rule for encryption and requires “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” where the keys for decryption have not been breached. However, as a new measure, the HHS issued an exhaustive list of NIST publications for encrypting data at rest and for encrypting data in motion. For example, NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, recommends that travelling laptops should be secured using full-disk encryption and pre-boot authentication. HHS also requires that electronic media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, which requires that magnetic hard drives be purged using “Secure Erase” or degaussing, making them inoperable. The HHS is seeking public comments on the adequacy of some of these methods. More detail about the HHS proposed rules can be found at the HHS website.

The comment period for both sets of regulations will last until June and the agencies should issue interim final rules by August, which may result in changes to the proposed regulations. In addition, Congress may create a federal breach notification law after it receives the joint FTC-HHS report on the entities the HITECH Act regulates. Nevertheless, both HIPAA covered entities and non-HIPAA covered entities should invest in technologies and policies to prevent data breaches that may affect their bottom lines through breach notification costs, regulatory fines, and tarnished brands.
